Be Prepared: Journalists and Security Researchers
by Uli Ries
A professional journalist, Uli Ries, has sent me some additional information which he hopes will “raise some awareness for the journo’s situation. This will help the researcher to handle the situation a lot better”. So the below is from his email to me, with the intention of helping security researchers understand how journalists operate and what they are trying to achieve in the performance of their job.
[note: I’ve butchered the email quite a bit, so any errors are my own]
Journos might seem to be sensationalist and ignorant. This is not quite true (most of the time at least), but to attract readers a journalist has to find the most interesting part of the story — oldest, biggest, newest, worst. These aspects attract attention. Everything else might make good reading for the scientific community but it doesn’t sell papers. I dont know if this is the media’s fault or if the readers/viewers demand such shallowness. Whatever the cause, this is the way it is. Researchers will have to work within the constraints of the journalist’s world.
There are some negative aspects about a journo’s work which might influence the relationship with a researcher:
- Journos are always late and trying to meet deadlines. So they are stressed; this has mostly nothing to do with being unorganized. Instead it is a side effect of how the media works.
- Many media outlets publish Oracle style: publish first, patch later. This is a side effect of online publishing medium. It is easy to issue an update (that no one ever reads).
- Journos will often try to find conflict Hackers vs software vendors, hackers vs NSA, hackers vs hackers, hackers vs kittens etc. That kind of story makes an interesting read.
Important things to remember when dealing with a journalist:
- The media is not your friend - but it is not your enemy either.
- Speak the truth, or keep your mouth shut.
- Take reporters seriously even if they seem to be weirdos. Never underestimate the power those weirdos have with their publication.
- Never say/write/think “No comment”. It always means “yes”, or “I have something to hide”
More on vetting the journo:
- Always check the technical expertise of the journo. Not all of them know crypto backwards and forwards or can tell the difference between SSL, TLS and WTF. The less technical the answer, the higher the risk of a major misunderstanding or a real fuck-up. Educate the journo without being patronising
- Not every blogger is a journalist. Fully qualified journalists should know the rules about OTR, Chatham House rules, etc. Bloggers might not give a shit about those. Either because they don’t know the rules or because they simply don’t give a shit.
What’s the Story?
Try to find out as much as possible about the story the journo is producing.
- What type of story is it going to be? A quick news piece, a longer feature, an opinion piece (be extra careful with that kind of articles)
- What will it be about?
- Are your answers needed to drive a certain message home?
- Are your answer going to be the main aspect of the story or just a minor one?
- Who else is going to be quoted in the story?
Information about these details will help to prevent your quotes from being taken out of context (or: the context in which you thought they should be published). The classic example of this is when a journalist called up the British ambassador in some country and asked “what would you like for Christmas?”, to which the ambassador responded “some buttermilk biscuits”. The next day the story appears in the papers: The German ambassador has asked “for world peace”, this Christmas. The French ambassador wishes for “peace and happiness around the world”, and the British ambassador wants “some buttermilk biscuits”.
- Is it going to be live or a recording?
- Never agree to answer questions on the spot. Always demand at least 30 minutes (depending on the complexity of the subject) to prepare your answers. If the journo does’t want to wait: bad luck for them.
- If the journo does not keep his/her promises regarding OTR etc:
followerpower. Let the world know that something went wrong. Sent the
link to the story to your followers together with your side of the
story. This will have two effects:
- Others are warned that the journo is a douche.
- Others will learn from your mistakes.
How to deal with your quotes
Ideally you want to get a copy of the final story before it is publish so you can correct the quotes attributed to you, correct errors and otherwise perform damage control. Unfortunately, this is the real world and that will almost never happen. Sometimes you’ll get a copy 20 minutes before it is published, too late for damage control.
A more realistic approach is to ask for the section of the story in which your quotes appear; especially if you gave a phone interview or talked to a reporter at a conference; this is your only chance to ask for corrections. This is absolutely normal, and professional reporters will always do this pro actively. They want to avoid a correction (unless their media house works Oracle style)